Symantec 'Hack Is Wack' Website Fixed

Symantec has fixed a number of security holes in the Website for its "Hack is Wack" contest.

Symantec has cleaned up vulnerabilities in the Website for its "Hack
is Wack" contest.
The contest is a partnership between
the security vendor and rapper Snoop Doggy Dogg to promote computer
security and Symantec's Norton products. Aspiring rappers are asked to post a
rap video about cyber-crime, with the creator of the best video winning tickets
to a Snoop concert, a Toshiba laptop, hotel accommodations and a meeting with
his management team.

However, the "Hack is Wack" site had a number of security holes
that the vendor was recently forced to close. According to security
researcher Mike Bailey, the Website contained problems ranging from
cross-site scripting to cross-site request forgery.

"For example, there's the publicly available, indexed cache directory with all that SQL,
JSON and other data," he blogged Sept. 2. "There's the XSS
vulns (HTML5 only, though it should be simple enough to rewrite), CSRF
holes, and the Flash upload issues in the video upload script (a Joomla module
that appears to have been used without any quality control or review despite
the fact that it's currently in Alpha)."

There were also cross-site
request forgery issues in the voting system for uploaded videos.

"Symantec was made aware of reported vulnerabilities to the Norton Hack
is Wack microsite, and we quickly took the necessary steps to enhance security
on the site," a spokesperson said in a statement to eWEEK. "To date,
Symantec can confirm that no company or customer data has been compromised or
exposed. Symantec takes the security of our website and microsites very
seriously, and we have taken the necessary steps to resolve this issue."

The contest ends Sept. 30.